TELKOMNIKA Telecommunication Computing Electronics and Control 
Vol. 21, No. 4, August 2023, pp. 784~796 
ISSN: 1693-6930, DOI: 10.12928/TELKOMNIKA.v21i4.24388


LSKA-ID: A lightweight security and key agreement protocol 
based on an identity for vehicular communication 


Murtadha A. Alazzawi (1), Mohammed Tali Almalchy (2), Ahmed Al-Shammari (3),
Ahmed Salih Al-Khaleefa (4), Hayder M. Albehadili (1)
(1) Department of Computer Techniques Engineering, Imam Al-Kadhum College (IKC), 10001, Baghdad, Iraq
(2) Department of Mechanical Engineering, Faculty of Engineering, University of Misan, 62001, Iraq
(3) Department of Computer Science, College of Computer Science and Information Technology, University of Al-Qadisiyah,
Al Diwaniyah, 58002, Iraq
(4) Department of Physics, Faculty of Education, University of Misan, 62001, Iraq


Article Info

Article history: Received Aug 14, 2022; Revised Dec 14, 2022; Accepted Feb 16, 2023

Keywords: Authentication; Chinese remainder theorem; Privacy preserving; Security; VANETs


ABSTRACT

Recently, considerable effort has been devoted to wireless broadcasting in open areas. However, the
vehicular ad hoc network (VANET) is exposed to various kinds of attacks. Hence, maintaining security in a
VANET is the most critical issue, because the network is directly related to human life. Thus, we propose a
robust and lightweight identity-based security and key agreement protocol, LSKA-ID, for vehicular
communication. Our protocol utilizes elliptic curve cryptography, the Chinese remainder theorem, and an
identity (ID)-based cryptosystem to resolve the issues found in previously proposed schemes; in particular,
it resolves the key escrow issue that accompanies most ID-based schemes. It also does not need batch
verification operations, which cause problems for the verifier when the batch contains one or more illegal
beacons. Moreover, the LSKA-ID protocol addresses the dependency on the trusted authority (TA) during the
highly frequent handovers between groups, which may cause a bottleneck at the TA. The security analysis
proves the correctness of the LSKA-ID protocol using the random oracle model, and the protocol is shown to
be effective in a performance evaluation.


This is an open access article under the CC BY-SA license. 


Corresponding Author:
Murtadha A. Alazzawi
Department of Computer Techniques Engineering, Imam Al-Kadhum College (IKC)
10001, Baghdad, Iraq
Email: murtadhaali@alkadhum-col.edu.iq


1. INTRODUCTION 


To enhance transportation, car companies have started equipping vehicles with sensors to collect
surrounding information, including traffic- and safety-related information, to be shared with other vehicles.
Thus, a new technology named the vehicular ad hoc network (VANET) has appeared recently. The VANET is
defined as a part of the mobile ad hoc network (MANET), and each vehicle in a VANET represents a mobile
node [1]. VANETs provide not only traffic- and safety-related information but also other services such as live
news, entertainment, and social interaction [2]. Because of the high mobility of vehicles, a special protocol
named dedicated short-range communication (DSRC) was created for this network [3]. The latter allows each
vehicle equipped with an onboard unit (OBU) to communicate with other vehicles by a technique called vehicle to
vehicle (V2V) communication, and with road-side units (RSUs) by vehicle to infrastructure (V2I) or
infrastructure to vehicle (I2V) communication [4]. The RSUs, OBUs, and the trusted authority (TA) are the
main components of the VANET [5], [6]. The TA sustains the entire system, utilizes a secure wired
channel to exchange information with the RSUs distributed along the roads, and is also responsible for
managing road traffic. The OBU is a device fitted to every vehicle and configured to work with DSRC.

As mentioned earlier, the three types of communication based on DSRC in a VANET are called
V2V, V2I, and I2V, meaning that vehicles can communicate with two different VANET components
simultaneously to receive the required traffic and safety information. Consistent with the DSRC protocol, a
vehicle equipped with an OBU broadcasts one traffic- and safety-related message every 100-300 ms to cover a
few hundred meters [3]. Because the broadcast uses wireless channels, communication among the
components of a VANET is susceptible to numerous attacks such as eavesdropping, impersonation, replay,
modification, forgery, and man in the middle attacks. Hence, to improve the VANET and motivate the
community to use it, the security and privacy challenges should be addressed [7], [8]. The authentication
mechanism is considered the basis of security in a VANET system; it involves identity authentication and
message integrity [8]-[10]. If identity authentication is not ensured, an attacker can broadcast messages by
impersonating an authorized vehicle and gain illegitimate benefits. Moreover, if message integrity is not
fulfilled, an attacker may also alter messages or broadcast forged information to completely disrupt traffic
without being stopped. Hence, authentication has to be carried out to validate the identity of the vehicle and
to ensure the integrity of received messages. Besides, privacy is also essential for VANETs [11], [12], where
exposure of the vehicle's real identity can reveal the driver's information such as current location, movement,
and identity. Consequently, the vehicle's anonymity must be satisfied in the VANET to preserve the vehicle's
identity unless it carries out malicious activities. Once authentication and privacy in the VANET are satisfied,
the other requirements such as non-repudiation, un-linkability, traceability, and revocation, as well as
resistance to attacks, should be kept. Additionally, efficient computation and communication costs should be
taken into consideration.

To address the prior security requirements, a large number of academic studies with several approaches have
been presented. Depending on the public key infrastructure (PKI), the pseudonym-based scheme [10] was
the first to provide the security requirements in VANETs, where each vehicle is preloaded with
thousands of certificates with corresponding public/private key pairs. Then, group signature (GS)-based
schemes were proposed [13]-[15]. To overcome the drawbacks of the pseudonym-based and GS-based works,
many researchers adopted identity (ID)-based encryption [16]-[24] in their efforts. At the
beginning, the bilinear pairing operation was used to build the ID-based schemes, but it was abandoned later
due to its high computation and communication costs. These high costs were mitigated by using
elliptic curve cryptography (ECC). Recently, [25]-[28] used the ID-based concept while organizing the VANET
as groups, with each RSU considered the group's manager, responsible for joining the
members and verifying the beacons. These schemes use either the bloom filter or the cuckoo filter to notify
the vehicles which beacons are legal. Additionally, some recent academic studies rely on certificateless
cryptography [5], [29], [30].

Motivated by the VANET-related drawbacks mentioned earlier, in this work we propose a
lightweight ID-based protocol for VANETs. Our protocol differs from other ID-based schemes in that it
resolves security-related issues and mitigates the computation and communication costs. The contributions of
our work are presented as:

— The proposed LSKA-ID protocol resolves the key escrow issue that accompanies most ID-based schemes.

— The LSKA-ID protocol uses ECC without the need for batch verification operations, which cause
problems for the verifier when the batch contains one or more illegal beacons.

— The proposed protocol reduces the ECC operations during beacon generation and verification by
using a group key generated via the Chinese remainder theorem (CRT). Therefore, the computation and
communication costs are low and suitable for VANETs.

— Also, the LSKA-ID protocol addresses the dependency on the TA during the highly frequent handovers
between groups, which may cause a bottleneck at the TA.


2. RELATED WORKS 

Pseudonym-based, GS-based, and ID-based schemes are regarded as the three main approaches to
providing anonymous authentication in VANETs. Besides, a few academic studies have recently been proposed
depending on certificateless cryptography. The pseudonym-based schemes principally utilize the PKI
concept. Raya et al. [10] proposed an authentication scheme based on pseudonyms for VANETs. This scheme
meets most requirements for VANETs but requires preloading the OBU with a lot of certificates and their
corresponding key pairs. This leads to many drawbacks: large memory storage on the vehicle to
save these certificates, a certificate revocation list (CRL) that grows exponentially to keep all revoked
vehicles' certificates, and inefficient computation and communication costs.

In GS-based schemes, the VANET can provide anonymity for the vehicle and also treat the
exponential growth problem of the CRL in pseudonym-based schemes, so that the CRL's size increases linearly.
In 2007, Lin et al. [13] utilized the GS-based concept to present a new privacy-preserving authentication
approach for VANETs. The group master key is known only by the group manager, which can trace the vehicle's
real identity. Many schemes based on GS that improve on [13], such as [14], [15], have been proposed since.
However, they are still unsuitable for VANETs due to the high computation and communication cost,
group management matters, and the complexity of choosing the group manager, since it can
track any vehicle according to its knowledge about every member.

Using ID-based encryption, the VANET system can resolve the previously mentioned problems of
pseudonym-based and GS-based schemes. Sun et al. [16] proposed a secure VANET scheme using ID-based
encryption, which can provide the privacy-preserving authentication and traceability requirements. In 2012,
Shim [17] suggested a scheme named CPAS depending on pseudo-ID-based encryption for VANETs. In this
scheme, the execution time of signature verification is decreased by using batch verification.
Subsequently, numerous schemes using ID-based encryption were proposed [18]-[20]. However, these
schemes are inadequate, with inefficient computation and communication costs; they are also susceptible to
impersonation and modification attacks. The schemes in [21]-[24] mitigated the computation and
communication overhead using ECC. He et al. [21] constructed an ID-based authentication scheme for
VANETs that provides privacy-preserving authentication, but the authors depended strongly on the tamper proof
device (TPD). In 2016, Lo and Tsai [23] proposed an efficient ID-based authentication scheme that does not rely
on TPDs. However, it requires a massive amount of storage memory to save its pseudo-IDs with the private keys.
In addition to the high computation and communication cost, ID-based systems suffer from
other issues such as the key escrow problem, because each OBU in the VANET must know the system private key.
If one vehicle is compromised, key leakage occurs and the whole VANET system is compromised.
Also, it is easy for any trusted vehicle to broadcast by impersonating another, or to reveal a vehicle's real identity,
because it has the system private key. Moreover, batch verification is considered a big issue, where one invalid
beacon causes rejection of all the beacons or requires additional computation to determine which one is invalid.

Cui et al. [25], Zhong et al. [26], Cui et al. [27], and Alazzawi et al. [28] produced ID-based
authentication schemes that rely on the RSU for signature verification, where the RSU verifies the received
messages and broadcasts the valid and invalid ones with (bloom or cuckoo) filters. These schemes can resolve the
key escrow problem and satisfy the security and privacy requirements for VANETs, but still suffer from
other issues. Because handover is a frequent event in these types of approaches, a bottleneck
may occur at the TA. Also, Cui et al. [25], [27] use batch verification to mitigate the computation.
Cui et al. [31] used the CRT to share a key among the RSU's group members, which use advanced encryption
standard (AES) encryption to encrypt the messages with this key. This scheme also suffers from the bottleneck at
the TA and does not meet the non-repudiation requirement. Zhang et al. [32] divided the VANET into domains,
where each domain is a group of many RSUs. The vehicles in the group can get the shared key via the CRT.

To resolve the escrow problem, in 2018, Seyed et al. [33] proposed a novel and efficient
authentication scheme, NECPPA. The concept behind the scheme is to save the system key into the TPD on each
RSU and the temporary key into the TPD on the OBU. That means the vehicle does not have the system key and
can only get the temporary key from the RSU during the joining process to the RSU's group. NECPPA suffers from
high computation and communication costs because its cryptographic operations depend on the bilinear pairing
operation. Depending on certificateless cryptography [34], the schemes in [5], [29], [30] proposed
new authentication schemes for VANETs. These schemes avoid the key escrow problem found in ID-based
schemes, but they were not able to resolve the high computation and communication costs, and they used
batch operations in their works. Our protocol adopts ECC with the CRT to resolve the
aforementioned issues by building a new and lightweight ID-based protocol. ECC is used to achieve the
security and privacy requirements based on ID encryption, whereas the CRT is used to update the group key.


3. PRELIMINARIES 

In this section we present the system model, which discusses the three components used in our
protocol, followed by a threat model, which shows the main types of adversaries who can mount security attacks.
Moreover, we explain the main security and privacy requirements as design goals. Lastly, the
elliptic curve cryptography and the Chinese remainder theorem used in this work are explained.


3.1. The system model 

Three components are used in our protocol, as shown in Figure 1. The first one is the TA, which is
accountable for preparing the basic and secure parameters of the VANET and allows other components to register
with the network. The RSU is the second component in the protocol; it is deployed as a router along the roadside
and is considered the group manager in our protocol. The last one is the vehicle equipped with the OBU.
The RSU utilizes DSRC technology to communicate with the vehicle's OBU, and a wired channel with
the TA. We assume that:

— The TA is completely trusted, always online, and will not be compromised.

— Compared to the OBU, the RSU performs the high-cost computation operations, which affects its power
consumption, because of its responsibility for vehicle authentication and shared group key generation.
Also, the RSU is capable of supporting the TA to trace and revoke the identity of malicious vehicles.


Figure 1. Illustration of system model components (legend: DSRC connection, wired connection, group's range)


3.2. Threat model 

In our proposed LSKA-ID protocol, we assume that the TA has the maximum level of
security, making it extremely difficult for adversaries to attack it. The VANET is prone to diverse
security attacks due to its broadcasting nature over open access. In such networks, the following are the
two main types of adversaries who can mount security attacks [24].

— The external adversary: the VANET can be damaged by launching various security attacks, such
as impersonation, modification, tampering, replay, man in the middle (MITM), and tracking attacks.
Attackers can aggressively capture essential information of the VANET and destroy critical network data.

— The internal adversary: this type usually consists of malicious authenticated vehicles that are likely to
increase their own interest by exploiting the security weaknesses of the VANET. For example, a vehicle may
issue a false message about a traffic jam to make the other vehicles take other routes, so that the
malicious vehicle obtains better road resources. What is more, other malicious vehicles are able to
tamper with location information to escape traffic accountability.


3.3. Design goals 

Zhong et al. [22] indicated that VANETs should fulfill numerous security and privacy requirements,
including message authentication, identity privacy preservation, traceability, un-linkability, non-repudiation,
and resistance to various attacks. In addition to these requirements, we believe that the following
properties should also be provided by a designed system.

— Key escrow challenge: a vehicle is supposed not to know the system private key, to avoid some attack
types, especially insider attacks.

— Revocation: the TA is capable of revoking any vehicle in case this vehicle carries out malicious
activities.

— No strong dependence on the TA: strong dependency on the TA in this network may lead to other issues
at the TA, such as bottleneck problems.

— Computation time: since the DSRC protocol broadcasts more than three beacons per second, the
OBU should cope with this rate in terms of the generation time and verification time of the
beacons.

Thus, our scheme aims to achieve all the security and privacy requirements mentioned above.


3.4. Elliptic curve cryptography 

ECC was suggested in 1985 by Miller [35] and has become widespread in the design of security protocols.
Let F_p and EC represent a finite field and an elliptic curve over F_p, respectively, where p is a large prime
number. The EC is defined by the equation $y^2 = x^3 + ax + b \pmod p$, where $(4a^3 + 27b^2) \bmod p \neq 0$ and
$x, y, a, b \in F_p$. We assume that O is the point at infinity, and G is an additive group of order q with generator P.
G contains all points on the EC. If P and Q are two points on the EC, the main operations and the hardness
assumption on the EC are listed as [36]:

— The point addition in G is defined as P + Q = R.

— The scalar point multiplication in G is defined as sP = P + P + ... + P (s times).

— The elliptic curve discrete logarithm problem (ECDLP): given two points $P, Q \in G$ on the EC,
the task of the ECDLP is to find an integer s that satisfies Q = sP.


3.5. Chinese remainder theorem (CRT)

The CRT is a theorem that yields a unique solution to a system of simultaneous linear congruences with
pairwise coprime moduli [37], [38]. In other words, when the remainders of the Euclidean division of a number n
by several integers are known, the remainder of the division of n by the product of these integers can be
determined uniquely, provided that the divisors are pairwise coprime.

More precisely, assume that $\{x_1, x_2, \ldots, x_n\}$ are pairwise coprime positive integers, where
$n \geq 2$. Set $X = x_1 x_2 \cdots x_n = x_1 X_1 = x_2 X_2 = \cdots = x_n X_n$, where $X_i = X / x_i$,
$i = 1, 2, 3, \ldots, n$. The positive integer solution of the system of congruences (1) is
$k = \sum_{i=1}^{n} y_i X_i \bar{X}_i = y_1 X_1 \bar{X}_1 + y_2 X_2 \bar{X}_2 + \cdots + y_n X_n \bar{X}_n \pmod X$,
where $\bar{X}_i$ is a positive integer satisfying the congruence $X_i \bar{X}_i \equiv 1 \pmod{x_i}$, $i = 1, 2, 3, \ldots, n$.


$k \equiv y_1 \pmod{x_1}$
$k \equiv y_2 \pmod{x_2}$    (1)
$\vdots$
$k \equiv y_n \pmod{x_n}$


4. THE PROPOSED LSKA-ID PROTOCOL 

The LSKA-ID protocol, as shown in Figure 1, has three main components: TA, RSU, and vehicle.
Seven phases are defined to manage the LSKA-ID protocol, named the initializing, registering, creating a
shared key, joining, departing, signing and verifying, and revoking phases. The first two phases are
responsible for initializing the system parameters and registering the vehicle, respectively. During the third phase,
a group's shared key is created. In the fourth phase, mutual authentication is established between the RSU and the
OBU without the need for the TA. After the mutual authentication completes correctly, the vehicle joins the
group and can broadcast beacons. The LSKA-ID protocol updates the group's shared key by running the departing
phase when a vehicle leaves the group. The last phase provides a revocation process that allows the TA to revoke any
trusted vehicle when it starts to broadcast bogus beacons.


4.1. Initializing phase 

The TA creates the system parameters in this phase, including a finite field and an elliptic curve
defined over it. Although this phase is standard and the process seems identical to other schemes, it is
accomplished by the TA following the steps below, and the system parameters are set as:

— The TA prepares the ECC parameters, namely two large prime numbers p, q and an additive group G
that contains all the points of the elliptic curve EC, with order q and generator P. The EC's points are defined by the
equation $y^2 = x^3 + ax + b \pmod p$, where $a, b \in F_p$.

— The TA generates a random integer s and computes P_pub = sP. The integer s is the private key and P_pub is the
public key.

— The TA chooses a secure hash function h.

— The TA sends the private key s to all RSUs.

— The TA broadcasts the system parameters {p, q, P, P_pub, h} periodically.


4.2. Registering phase 

This phase takes place first, when someone wants to join the VANET. The driver
chooses a password PW and then sends the PW together with the real identity of the vehicle, RID, to the TA via a
secure channel. The TA computes the vehicle's pseudonym PID = h(RID)·s and saves {RID, PID, PW} into the
vehicles' registration list. Finally, the TA sends PID to the vehicle. The vehicle saves {RID, PID, PW}
into the TPD inside the OBU.
4.3. Creating a shared key phase

This phase is responsible for creating the group's shared key depending on the CRT. It is performed by the
RSU in our proposed LSKA-ID protocol. The RSU completes the following five steps during this phase:

— The RSU arranges the random integers m_i of all vehicles that have succeeded in joining the group. Suppose
there are n vehicles in the group; the corresponding random integers are arranged as m_1, m_2, m_3, ..., m_n.

— The RSU generates a random integer Ks less than q.

— The RSU computes $\omega = \prod_{i=1}^{n} m_i$, $\alpha_i = \omega / m_i$, $\beta_i$ such that
$\alpha_i \cdot \beta_i \equiv 1 \pmod{m_i}$, $\lambda_i = \alpha_i \cdot \beta_i$,
$\varphi = \sum_{i=1}^{n} \lambda_i$, and $\gamma = \varphi \cdot Ks$.

— The RSU broadcasts {T, γ, σ_gs}, where σ_gs = h(T || Ks).

— When any vehicle receives {T, γ, σ_gs}, it checks the validity of the timestamp T. If it is not valid, the
vehicle drops the message. Otherwise, it computes Ks = γ mod m_i and checks whether σ_gs =? h(T || Ks).
If not, it drops the message. Otherwise, it keeps Ks inside the TPD and starts broadcasting using Ks.
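As an added example (not code from the paper), the following Python carries the CRT construction of section 3.5 through the creating a shared key phase above and the departing phase rekey: the RSU builds γ from the members' m_i and Ks, a member recovers Ks = γ mod m_i and checks σ_gs, and a departed vehicle no longer recovers the new key. The member values, timestamps and the SHA-256 instantiation of h are constructed assumptions; the recovery yields Ks itself only when Ks is smaller than every m_i, which the code enforces.

```python
import hashlib
from math import gcd, prod


def h(*parts):
    """h(a || b) instantiated with SHA-256 over decimal encodings (our assumption; the paper fixes no h)."""
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()


def rsu_create_shared_key(members, ks, t):
    """Creating a shared key phase: members maps vehicle id -> m_i; returns the broadcast {T, gamma, sigma_gs}.

    gamma = phi * Ks with phi = sum(lambda_i), lambda_i = alpha_i * beta_i, alpha_i = omega / m_i,
    alpha_i * beta_i = 1 (mod m_i) and omega = prod(m_i). Since lambda_i = 1 (mod m_i) and
    lambda_j = 0 (mod m_i) for j != i, every member i finds gamma = Ks (mod m_i)."""
    m = list(members.values())
    for i in range(len(m)):                      # the CRT needs pairwise coprime moduli
        for j in range(i + 1, len(m)):
            if gcd(m[i], m[j]) != 1:
                raise ValueError("m_i must be pairwise coprime")
    if any(ks >= mi for mi in m):                # else a member recovers Ks mod m_i, not Ks
        raise ValueError("Ks must be smaller than every m_i")
    omega = prod(m)
    phi = 0
    for mi in m:
        alpha = omega // mi
        beta = pow(alpha, -1, mi)                # modular inverse exists because gcd(alpha, m_i) = 1
        phi += alpha * beta                      # lambda_i
    return {"T": t, "gamma": phi * ks, "sigma_gs": h(t, ks)}


def vehicle_recover_key(bcast, m_i, now, max_delay=2):
    """Receiver side: timestamp check, Ks = gamma mod m_i, then sigma_gs == h(T || Ks). None means drop."""
    if now - bcast["T"] > max_delay:
        return None
    ks = bcast["gamma"] % m_i
    return ks if h(bcast["T"], ks) == bcast["sigma_gs"] else None


def rsu_depart(members, leaving_id, new_ks, t):
    """Departing phase: remove the leaver's m_i and rerun the shared-key phase with a fresh Ks."""
    remaining = {vid: mi for vid, mi in members.items() if vid != leaving_id}
    return remaining, rsu_create_shared_key(remaining, new_ks, t)


def demo():
    # Constructed group: three members whose m_i are distinct Mersenne primes, hence pairwise coprime.
    members = {"V1": 131071, "V2": 524287, "V3": 2147483647}
    bcast = rsu_create_shared_key(members, 4660, t=100)
    before = {vid: vehicle_recover_key(bcast, mi, now=101) for vid, mi in members.items()}
    remaining, bcast2 = rsu_depart(members, "V1", 7777, t=300)
    after = {vid: vehicle_recover_key(bcast2, mi, now=301) for vid, mi in members.items()}
    return before, after   # V1 recovers 4660 before departing and nothing afterwards
```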


4.4. Joining phase 

This phase takes place between the OBU and the RSU and is responsible for allowing the vehicle to join the
group and obtain the shared key. At first, the driver inputs the vehicle's real identity and the
password when he/she turns on the vehicle to start the OBU. The following steps show the joining process.

— Firstly, the OBU generates a random integer r ∈ Z_q* and computes U = rP, RID* = h(RID) ⊕ h(rP_pub), and
PID* = PID ⊕ h(rP_pub). Then, it sends a request message to the RSU to join the group and obtain the shared
key. The content of the message is {T_1, U, RID*, PID*, σ_OBU}, where σ_OBU = h(T_1 || U || h(RID) || PID).

— When the RSU receives the message {T_1, U, RID*, PID*, σ_OBU}, it checks the validity of the timestamp.
(Note: a timestamp is checked by testing whether ΔT > (T_r − T_s); if this holds, the time is valid,
otherwise it is invalid, where T_r is the receiving time, T_s is the sending time, and ΔT is the
predefined delay time.) If it is invalid, the RSU drops the message. Otherwise, it computes:


h(RID) = RID* ⊕ h(U·s) and PID = PID* ⊕ h(U·s), then it checks whether
σ_OBU =? h(T_1 || U || h(RID) || PID).


If not, the RSU drops the message. Otherwise, the message integrity is ensured and the RSU checks RID in the
revocation list RL to ensure the vehicle has not been revoked. After that it applies (2) to test the
vehicle's legitimacy.


$PID \cdot P = h(RID) \cdot P_{pub}$    (2)


Proof of correctness:
L.H.S. = PID·P
Since PID = h(RID)·s:
= h(RID)·s·P
= h(RID)·P_pub
= R.H.S.
Consequently, (2) is correct.
If (2) does not hold, the vehicle is illegal. Otherwise, the RSU generates a random integer m_i ∈ Z_q*
and inserts the information {h(RID), PID, U, m_i} into the group list GL. Lastly, it computes Sig = h(U)·s
as a signature for the vehicle and sends {T_2, Ks*, m_i*, Sig*, σ_RSU} to the OBU, where Ks* = Ks ⊕ h(RID),
m_i* = m_i ⊕ h(RID), Sig* = Sig ⊕ h(RID) and σ_RSU = h(T_2 || Ks || m_i || Sig).

— When the OBU receives the message {T_2, Ks*, m_i*, Sig*, σ_RSU}, it checks the validity of the timestamp T_2;
if it is invalid, it drops the message. Otherwise, it computes Ks = Ks* ⊕ h(RID), m_i = m_i* ⊕ h(RID), and
Sig = Sig* ⊕ h(RID). Lastly, it checks whether σ_RSU =? h(T_2 || Ks || m_i || Sig). If not, it drops the
message. Otherwise, the joining process is complete and the vehicle has joined the group.


4.5. Departing phase 

This phase takes place when a vehicle leaves the group. The RSU should then update the shared
key Ks to prevent the departing vehicle from accessing the group. When the vehicle leaves the group,
the RSU runs the creating a shared key phase again after removing the m_i of the leaving vehicle from the list.
4.6. Signing and verifying phase

This phase takes place when the vehicle wants to broadcast beacons or is receiving them, as follows:

— Signing process: it is responsible for signing the beacon using Ks and Sig. Firstly, the OBU
computes σ_sig = h(Sig·P || T) and σ_M = U ⊕ h(T || M || σ_sig || Ks), then broadcasts the beacon
{T, M, σ_sig, σ_M}.


$h(Sig \cdot P \,||\, T) = h(h(U) \cdot P_{pub} \,||\, T)$    (3)


— Verifying process: it is responsible for verifying the received beacons. When the OBU receives a
beacon {T, M, σ_sig, σ_M}, it checks the validity of the timestamp T. If it is invalid, it drops the beacon.
Otherwise, it computes U = σ_M ⊕ h(T || M || σ_sig || Ks) and applies (4).


$\sigma_{sig} = h(h(U) \cdot P_{pub} \,||\, T)$    (4)


Proof of correctness:

L.H.S. = σ_sig

= h(Sig·P || T)

= h(h(U)·s·P || T)

= h(h(U)·P_pub || T)

= R.H.S.
Consequently, (4) is correct. If (4) does not hold, the OBU drops the beacon. Otherwise, it accepts the
beacon and the sending vehicle is trusted.
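The joining check (2) and the signing/verifying equations (3)-(4) above, worked in Python as an added example that is not the paper's code: it instantiates the curve with secp256k1 and h with SHA-512 (so the 64-byte digest can be XORed with a 64-byte x||y point encoding), and omits the timestamp, revocation list and TPD handling; the RID, message and group key are constructed values.

```python
import hashlib
import secrets

# Curve choice is ours (the paper fixes none): secp256k1, y^2 = x^3 + 7 over F_p, order q, generator P.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P_GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on the curve; None stands for the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Scalar point multiplication k*pt (double-and-add)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def enc(v):
    """Byte encoding fed to h: a point as x||y (64 bytes, O as zeros), an int big-endian, a str as UTF-8."""
    if v is None:
        return bytes(64)
    if isinstance(v, tuple):
        return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    if isinstance(v, int):
        return v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return v.encode() if isinstance(v, str) else v


def h_bytes(*parts):
    """h(a || b || ...) instantiated with SHA-512 (assumption): 64 bytes, the length of a point encoding."""
    return hashlib.sha512(b"".join(enc(p) for p in parts)).digest()


def h_int(*parts):
    """h(.) used as a scalar in Z_q, as in PID = h(RID)*s and Sig = h(U)*s."""
    return int.from_bytes(h_bytes(*parts), "big") % Q


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ta_register(rid, s):
    """Registering phase: the TA derives the pseudonym PID = h(RID)*s."""
    return h_int(rid) * s % Q


def rsu_check_vehicle(pid, h_rid, p_pub):
    """Joining phase, equation (2): PID*P == h(RID)*P_pub holds exactly when PID was issued under s."""
    return ec_mul(pid, P_GEN) == ec_mul(h_rid, p_pub)


def rsu_issue_sig(u, s):
    """Joining phase: the RSU signs the vehicle's U = rP as Sig = h(U)*s."""
    return h_int(u) * s % Q


def sign_beacon(t, m, sig, ks, u):
    """Signing process: sigma_sig = h(Sig*P || T), sigma_M = U xor h(T || M || sigma_sig || Ks)."""
    o_sig = h_bytes(ec_mul(sig, P_GEN), t)
    o_m = xor(enc(u), h_bytes(t, m, o_sig, ks))
    return (t, m, o_sig, o_m)


def verify_beacon(beacon, ks, p_pub):
    """Verifying process, equation (4): recover U from sigma_M, then check sigma_sig == h(h(U)*P_pub || T)."""
    t, m, o_sig, o_m = beacon
    u_bytes = xor(o_m, h_bytes(t, m, o_sig, ks))
    u = None if u_bytes == bytes(64) else (
        int.from_bytes(u_bytes[:32], "big"), int.from_bytes(u_bytes[32:], "big"))
    return o_sig == h_bytes(ec_mul(h_int(u), p_pub), t)


def demo(rid="VEH-0001", m="accident ahead", ks=0x1234, t=1_700_000_000):
    """Full run on constructed values; returns (vehicle legit, beacon ok, tampered ok, wrong-Ks ok)."""
    s = secrets.randbelow(Q - 1) + 1                  # TA private key, shared with RSUs only
    p_pub = ec_mul(s, P_GEN)
    pid = ta_register(rid, s)
    u = ec_mul(secrets.randbelow(Q - 1) + 1, P_GEN)   # U = rP chosen by the OBU
    legit = rsu_check_vehicle(pid, h_int(rid), p_pub)
    beacon = sign_beacon(t, m, rsu_issue_sig(u, s), ks, u)
    tampered = (t, "road clear", beacon[2], beacon[3])
    return (legit, verify_beacon(beacon, ks, p_pub),
            verify_beacon(tampered, ks, p_pub), verify_beacon(beacon, ks + 1, p_pub))
```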


4.7. Revoking phase 

This phase takes place when any trusted vehicle broadcasts spurious beacons. To protect the VANET
system from insider attacks, the TA should be able to trace and revoke such a vehicle. Our scheme
provides the revocation procedure as:

— When a trusted vehicle starts broadcasting spurious beacons, the RSU can retrieve the vehicle's information
from GL according to U, which it computes as U = σ_M ⊕ h(T || M || σ_sig || Ks), then it sends this
information to the TA.

— When the TA receives the vehicle's information, it revokes the vehicle by adding its real identity to the
revocation list RL, then it sends a response message to the RSU and forwards the RL to all RSUs.

— When the RSU receives the response message from the TA, it runs the departing phase to
prevent the vehicle from continuing as a member of the group.


5. SECURITY PROOF AND ANALYSIS OF THE LSKA-ID 

In this section, we analyze the LSKA-ID protocol with respect to the security and privacy requirements.
Assuming the ECDLP is hard, we demonstrate that the LSKA-ID protocol enforces non-forgery. The security proof,
the security analysis and comparison, and the attack scenario analysis are presented in section 5.1 to section 5.3.


5.1. Security proof 

In this subsection we analyze our proposed LSKA-ID protocol formally. Based on the
adversary's activity and the VANET system model, the security model of the LSKA-ID protocol is defined
through a game between two parties. The first one is an adversary Adv and the other is a challenger Cha.

— Theorem 1: The LSKA-ID protocol can enforce non-forgery of messages under an adaptively chosen message
attack in the random oracle model (ROM).

— Proof: we suppose that Adv has the ability to forge a genuine signature {T, M, σ_sig, σ_M} for the traffic
message M. Also, suppose that an ECDLP instance (P, Q = sP) is given for two points P, Q on E/F_p,
where s ∈ Z_q*. Now, by running Adv as a subroutine, Cha is able to solve the ECDLP with
non-negligible probability.

— Setup: Cha computes P_pub = Q = sP as the public key and establishes the public parameters Pars = {q, P_pub, P, h}.
Cha then sends Pars to Adv as well as constructs and maintains the following lists:

a) HL_1-oracle: Cha constructs HL_1 in the form (Sig, T, σh_1) and sets it to empty. On receiving a
request from Adv with a message (Sig, T), Cha first looks up whether the tuple (Sig, T, σh_1) is in
HL_1. If it is, Cha sends σh_1 = h_1(Sig·P || T) to Adv. If it is not, Cha randomly selects
σh_1 ∈ Z_q* and inserts (Sig, T, σh_1) into HL_1. Then Cha sends σh_1 = h_1(Sig·P || T)
to Adv.

b) HL_2-oracle: Cha constructs HL_2 in the form (T, M, σ_sig, Ks, σh_2) and sets it to empty. On
receiving a request from Adv with a message (T, M, σ_sig, Ks), Cha first looks up whether the
tuple (T, M, σ_sig, Ks, σh_2) is in HL_2. If it is, Cha sends σh_2 = h_2(T || M || σ_sig || Ks) to
Adv. If it is not, Cha randomly selects σh_2 ∈ Z_q* and inserts (T, M, σ_sig, Ks, σh_2) into
HL_2. Then Cha sends σh_2 = h_2(T || M || σ_sig || Ks) to Adv.

c) Sign-oracle: on receiving a sign request over a message M, Cha generates two random numbers
σ_sig = σh_1, σh_2 ∈ Z_q* and computes σ_M = U ⊕ σh_2. Then it adds (Sig, T, σ_sig) to HL_1 and
(T, M, σ_sig, Ks, σh_2) to HL_2. At last, Cha builds a beacon {T, M, σ_sig, σ_M} and sends it to Adv.

d) Output: finally, Adv outputs a beacon {T, M, σ_sig, σ_M}. Cha verifies this beacon using (5).


$\sigma_{sig} = h(h(U) \cdot P_{pub} \,||\, T)$    (5)


If (5) is valid, Cha finishes the game. Consistent with the forgery lemma in [18], Adv can yield another legal
beacon {T, M, σ*_sig, σ_M} that meets (6):


$\sigma^{*}_{sig} = h(h(U^{*}) \cdot P_{pub} \,||\, T)$    (6)

Based on (5) and (6), we can infer:


$(\sigma_{sig} - \sigma^{*}_{sig}) = h(h(U) \cdot P_{pub} \,||\, T) - h(h(U^{*}) \cdot P_{pub} \,||\, T)$
$= h(h(U) \cdot s \cdot P \,||\, T) - h(h(U^{*}) \cdot s \cdot P \,||\, T)$    (7)


However, the result in (7) contradicts the hardness of the ECDLP. Thus, our proposed scheme under the ROM is
resistant against an adaptive chosen message attack, where Sig is the signature of the vehicle that is calculated by
the RSU during the joining phase using Sig = h(U)·s.


5.2. Security analysis and comparison

This subsection compares the robustness of the proposed LSKA-ID protocol with three recently proposed schemes, Cui et al. [27], Ming and Cheng [30], and Pournaghi et al. [33], in terms of the security properties listed in section 3.3. Let SP-1, SP-2, SP-3, SP-4, SP-5, SP-6, SP-7 and SP-8 denote message authentication, identity privacy preservation, traceability, revocation, un-linkability, non-repudiation, resolution of the key escrow challenge, and no strong dependence on the TA, respectively. Table 1 shows the comparison results for these security properties in VANETs. Next, we show that the LSKA-ID protocol meets each property:

— Message authentication: according to Theorem 1, no polynomial-time adversary can forge a valid beacon if the ECDLP is hard. The verifier checks the validity and integrity of the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$ by testing whether $\sigma_{sig} = h(h(U) \cdot P_{pub} \| T)$ holds. Thereby, the message authentication property is offered in the LSKA-ID protocol.

— Identity privacy preservation: in the LSKA-ID protocol, the vehicle broadcasts the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$, which carries no information about the real identity of the vehicle, since $\sigma_{sig} = h(Sig \cdot P \| T)$ and $\sigma_M = U \oplus h(T \| M \| \sigma_{sig} \| K_s)$. Therefore, an attacker cannot obtain the RID even if he or she holds the shared key $K_s$. Thereby, the identity privacy preservation property is offered in the LSKA-ID protocol.

— Traceability and revocation: according to the revoking phase described in section 4, the TA in the LSKA-ID protocol can trace a registered vehicle and revoke it. Thereby, the traceability and revocation properties are offered in the LSKA-ID protocol.

— Un-linkability: in the LSKA-ID protocol, the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$ differs for every broadcast, because $\sigma_{sig} = h(Sig \cdot P \| T)$ and $\sigma_M = U \oplus h(T \| M \| \sigma_{sig} \| K_s)$ both depend on the fresh timestamp $T$. Thereby, the un-linkability property is offered in the LSKA-ID protocol.

— Non-repudiation: in the LSKA-ID protocol, any vehicle that broadcasts a beacon must use, in addition to $K_s$, its own signature $Sig$ obtained during the joining phase. Therefore, it cannot deny the beacons it has broadcast. Thereby, the non-repudiation property is offered in the LSKA-ID protocol.

— The key escrow challenge: as mentioned earlier, a vehicle in the LSKA-ID protocol cannot obtain the system private key; it receives only a pseudonym during the registering phase and a shared key during the joining phase, and the shared key is updated whenever a vehicle joins or leaves. Thereby, the key escrow challenge is resolved in the LSKA-ID protocol.

— No strong dependence on the TA: in the LSKA-ID protocol, frequently repeated operations such as handover do not require TA intervention and are carried out only between the RSU and the OBU, as described in the joining phase. Thereby, the no-strong-dependence-on-TA property is offered in the LSKA-ID protocol.
Table 1. Comparison results for security properties in VANETs

Properties   Cui et al. [27]   Ming and Cheng [30]   Pournaghi et al. [33]   LSKA-ID protocol
SP-1         Yes               Yes                   Yes                     Yes
SP-2         Yes               Yes                   No                      Yes
SP-3         Yes               Yes                   Yes                     Yes
SP-4         No                No                    No                      Yes
SP-5         Yes               Yes                   Yes                     Yes
SP-6         Yes               Yes                   No                      Yes
SP-7         Yes               Yes                   No                      Yes
SP-8         No                No                    No                      Yes


5.3. Attack scenarios analysis

This subsection shows that the LSKA-ID protocol is safe against several common attacks. In the following theorems we consider different attack scenarios, and each proof shows that the LSKA-ID protocol resists the attack in question:

— Theorem 2: the LSKA-ID protocol can resist the replay attack.

— Proof: a replay attack is a network attack in which legitimate messages are fraudulently repeated. In the LSKA-ID protocol, the timestamp $T$ is included in the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$ and bound into both $\sigma_{sig}$ and $\sigma_M$. By checking the freshness of $T$, the beacon receiver rejects replayed beacons. Thereby, the replay attack is resisted in the LSKA-ID protocol.

— Theorem 3: the LSKA-ID protocol can resist the impersonation attack.

— Proof: to mount an impersonation attack, the attacker must generate a fake beacon $\{T, M, \sigma_{sig}, \sigma_M\}$ that satisfies (2). According to Theorem 1, the probability that a bogus beacon produced by the attacker satisfies (2) is negligible. Thereby, the impersonation attack is resisted in the LSKA-ID protocol.

— Theorem 4: the LSKA-ID protocol can resist the modification attack.

— Proof: in the proposed LSKA-ID protocol, the digital signature $\sigma_{sig}$ is included in the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$. According to Theorem 1, (3) will not hold if any field of the beacon $\{T, M, \sigma_{sig}, \sigma_M\}$ is modified. Thereby, the modification attack is resisted in the LSKA-ID protocol.

— Theorem 5: the LSKA-ID protocol can resist the MITM attack.

— Proof: an attacker positioned between the sender and the receiver would have to forge or modify a beacon that still passes verification. According to Theorem 1, this is infeasible for the attacker. Thereby, the MITM attack is resisted in the LSKA-ID protocol.
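The beacon generation and verification steps that Theorems 1 to 4 rely on, written out as an added worked example (this is illustrative code, not the authors' implementation). It follows the equations on the page: the RSU issues $Sig = h(U) \cdot s$, the OBU computes $\sigma_{sig} = h(Sig \cdot P \| T)$ and $\sigma_M = U \oplus h(T \| M \| \sigma_{sig} \| K_s)$, and the receiver recovers $U$ and checks (5). Everything the paper leaves open is an assumption here: secp256k1 as the curve (the paper only fixes a 160-bit prime), SHA-256 for both $h$ and $h_2$, 32-byte pseudonyms $U$, uncompressed point encoding before hashing, and a 300 s freshness window for $T$. The `demo()` function exercises a valid beacon, a modified beacon (Theorem 4), a replayed beacon (Theorem 2) and a beacon produced without a valid $Sig$ (Theorem 3).

```python
"""Added example of LSKA-ID beacon signing/verification (not the authors' code).
Assumptions: secp256k1, SHA-256 as h and h_2, 32-byte U, 300 s freshness window."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the paper only fixes a 160-bit p).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A (k > 0)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def enc(A):
    """Uncompressed point encoding fed to the hash (assumed encoding)."""
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def h_bytes(*parts):
    """h / h_2: hash of the concatenation of the parts (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def h_scalar(data):
    """h(U) interpreted as a non-zero element of Z_q^*."""
    return int.from_bytes(h_bytes(data), "big") % Q_ORD or 1


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ta_setup():
    """TA picks the system private key s and publishes P_pub = s.P."""
    s = secrets.randbelow(Q_ORD - 1) + 1
    return s, ec_mul(s, GEN)


def rsu_issue_sig(s, U):
    """Joining phase: the vehicle's signature scalar Sig = h(U).s (Section 5.1)."""
    return h_scalar(U) * s % Q_ORD


def sign_beacon(T, M, Sig, U, Ks):
    """OBU side: sigma_sig = h(Sig.P || T), sigma_M = U xor h(T || M || sigma_sig || Ks)."""
    Tb = T.to_bytes(4, "big")                       # 32-bit timestamp, as in Section 6.2
    sigma_sig = h_bytes(enc(ec_mul(Sig, GEN)), Tb)
    sigma_M = xor(U, h_bytes(Tb, M, sigma_sig, Ks))
    return {"T": T, "M": M, "sigma_sig": sigma_sig, "sigma_M": sigma_M}


def verify_beacon(beacon, P_pub, Ks, now, window=300):
    """Receiver side: freshness of T (Theorem 2), then check (5)."""
    T, M = beacon["T"], beacon["M"]
    if abs(now - T) > window:                       # replayed or stale beacon
        return False
    Tb = T.to_bytes(4, "big")
    U = xor(beacon["sigma_M"], h_bytes(Tb, M, beacon["sigma_sig"], Ks))
    # Eq. (5): sigma_sig == h(h(U).P_pub || T); holds because Sig.P = h(U).s.P = h(U).P_pub
    expected = h_bytes(enc(ec_mul(h_scalar(U), P_pub)), Tb)
    return expected == beacon["sigma_sig"]


def demo():
    """Returns (valid, modified, replayed, forged) verification outcomes."""
    s, P_pub = ta_setup()
    U = secrets.token_bytes(32)                     # constructed pseudonym
    Ks = secrets.token_bytes(32)                    # constructed group key
    Sig = rsu_issue_sig(s, U)
    T = 1_700_000_000
    b = sign_beacon(T, b"speed=52;lane=2", Sig, U, Ks)
    valid = verify_beacon(b, P_pub, Ks, now=T + 5)
    modified = verify_beacon(dict(b, M=b"speed=99;lane=2"), P_pub, Ks, now=T + 5)
    replayed = verify_beacon(b, P_pub, Ks, now=T + 3600)
    # Insider holding U and Ks but no RSU-issued Sig: random Sig' fails (5)
    fake_sig = secrets.randbelow(Q_ORD - 1) + 1
    forged = verify_beacon(sign_beacon(T, b"x", fake_sig, U, Ks), P_pub, Ks, now=T + 5)
    return valid, modified, replayed, forged


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the receiver never learns $Sig$ or $s$, only that $Sig \cdot P$ equals $h(U) \cdot P_{pub}$, and the freshness check must run before the curve operation so that stale beacons are discarded at the cheap step.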


6. PERFORMANCE ANALYSIS OF THE LSKA-ID

In this section, we evaluate the performance of the proposed protocol in terms of both computation and communication overhead, and compare it with the three most recent approaches of Cui et al. [27], Ming and Cheng [30], and Pournaghi et al. [33]. The cryptographic operations in [33] are built on bilinear pairings, whereas [27], [30] and the proposed protocol use ECC. To provide an 80-bit security level, for bilinear pairings we use the additive group $\bar{G}$ generated on the curve $E: y^2 = x^3 + x \bmod \bar{p}$, where $\bar{p}$ is a 512-bit prime, and for ECC we use the additive group $G$ generated on the curve $E: y^2 = x^3 + ax + b \bmod p$, where $p$ is a 160-bit prime and $a, b \in Z_p$.


6.1. Computation cost

This subsection compares the computation cost of the LSKA-ID protocol with the existing approaches in three phases: message signing (MS), verification of a single message (VSM), and verification of multiple messages (VMM). For a fair comparison, the execution times of the cryptographic operations must be measured under the same environment. For LSKA-ID we therefore reuse the execution times reported by Alshareeda et al. [39], measured with the MIRACL library, as listed in Table 2. Figure 2 shows the comparison of the computation cost among the related approaches for MS and VSM, and Figure 3 shows the computation cost of VMM as a function of the number of beacons.


Table 2. The execution time results of cryptographic operations

Cryptography operation   Execution time (ms)   Description
$T_{bp}$                 5.811                 Bilinear pairing operation
$T_{sm\text{-}bp}$       1.5654                Scalar multiplication operation in a group based on bilinear pairing
$T_{sm\text{-}bp\text{-}s}$   0.1829           Small scalar point multiplication operation in a group based on bilinear pairing
$T_{pa\text{-}bp}$       0.0106                Point addition operation in a group based on bilinear pairing
$T_{mtp}$                4.1724                Map-to-point hash function
$T_{sm\text{-}ecc}$      0.6718                Scalar multiplication operation in a group based on ECC
$T_{sm\text{-}ecc\text{-}s}$  0.0665           Small scalar point multiplication operation in a group based on ECC
$T_{pa\text{-}ecc}$      0.0031                Point addition operation in a group based on ECC
$T_h$                    0.001                 General hash function operation
Figure 2. The computation costs of MS and VSM

Figure 3. The computation costs of VMM


In the scheme of Cui et al. [27], MS needs $2T_{sm\text{-}ecc} + 2T_h = 1.3456$ ms, VSM needs $3T_{sm\text{-}ecc} + T_{pa\text{-}ecc} + 2T_h = 2.0205$ ms, and VMM for $n$ beacons needs $(2 + n)T_{sm\text{-}ecc} + T_{pa\text{-}ecc} + nT_{sm\text{-}ecc\text{-}s} + 2nT_h = 1.3467 + 0.7403n$ ms.

In the scheme of Ming and Cheng [30], MS needs $2T_{sm\text{-}ecc} + 2T_h = 1.3456$ ms, VSM needs $4T_{sm\text{-}ecc} + 3T_{pa\text{-}ecc} + 3T_h = 2.6995$ ms, and VMM needs $(2 + 2n)T_{sm\text{-}ecc} + 4nT_{pa\text{-}ecc} + 2nT_{sm\text{-}ecc\text{-}s} + 3nT_h = 1.3436 + 1.492n$ ms.

In the scheme of Pournaghi et al. [33], MS needs $3T_{sm\text{-}bp} + 3T_h = 4.6992$ ms, VSM needs $3T_{bp} + T_{sm\text{-}bp} + T_{mtp} = 23.1708$ ms, and VMM needs $3T_{bp} + nT_{sm\text{-}bp} + nT_{mtp} = 17.433 + 5.7378n$ ms.

In the proposed LSKA-ID protocol, MS needs $T_{sm\text{-}ecc} + 2T_h = 0.6738$ ms, VSM needs $T_{sm\text{-}ecc} + 2T_h = 0.6738$ ms, and VMM needs $nT_{sm\text{-}ecc} + 2nT_h = 0.6738n$ ms. Since each beacon is verified independently, without batch verification, the VMM cost of LSKA-ID is strictly linear in $n$ with no fixed overhead.
6.2. Communication cost

This subsection compares the communication cost of the LSKA-ID protocol with the existing approaches. As stated above, the sizes of $p$ and $\bar{p}$, the moduli of the groups $G$ and $\bar{G}$, are 160 bits and 512 bits respectively, so each element of $G$ is 320 bits and each element of $\bar{G}$ is 1024 bits. We also assume that each hash output and each element of $Z_q^*$ is 160 bits and that the timestamp is 32 bits. Table 3 shows the comparison of the costs.


Table 3. Comparison of the communication cost among three related approaches and the LSKA-ID protocol

Protocols                The size of beacon (bit)
Cui et al. [27]          800
Ming and Cheng [30]      1560
Pournaghi et al. [33]    1344
LSKA-ID protocol         352


In Cui et al. [27], the vehicle broadcasts the message $\{PID_i, M_i, \sigma_i\}$, where $PID_i = \{PID_i^1, PID_i^2\} \in G$ and $\sigma_i \in Z_q^*$, so the communication cost (excluding the payload $M_i$, which is common to all schemes) is $320 + 320 + 160 = 800$ bits. The communication costs of Ming and Cheng [30] and Pournaghi et al. [33] are computed in the same way. In the LSKA-ID protocol, the vehicle broadcasts the message $\{T, M, \sigma_{sig}, \sigma_M\}$, where $\sigma_M, \sigma_{sig} \in Z_q^*$ and $T$ is a timestamp, so the communication cost is $160 + 160 + 32 = 352$ bits. Thus, the proposed LSKA-ID protocol is more efficient than the approaches of Cui et al. [27], Ming and Cheng [30], and Pournaghi et al. [33] in terms of communication cost.


7. CONCLUSION

In this work, we propose LSKA-ID, a lightweight identity-based security and key agreement protocol for vehicular communication. The proposed LSKA-ID protocol provides the required security properties, such as message authentication, identity privacy preservation, traceability, and revocation. Additionally, it is secure against the most well-known attacks. Under the ROM, the proposed LSKA-ID protocol is shown to be unforgeable under an adaptive chosen-message attack. Moreover, the performance evaluation shows that the computation and communication costs of the proposed LSKA-ID protocol are lower than those of the compared state-of-the-art schemes. Consequently, the proposed LSKA-ID protocol resolves these challenges and is appropriate for vehicular communication.